The U.S. Securities and Exchange Commission (SEC) recently announced a ruling aimed at enhancing public companies’ cybersecurity risk management, strategy, governance and incident disclosure. To sum it up, companies must report cyberattacks within four days of determining an incident is “material” and divulge details about their cybersecurity programs annually.
With this long-anticipated ruling, the SEC calls on companies to increase transparency and accountability by providing their investors with “consistent, comparable and decision-useful” information about how they manage cybersecurity risks. While some enterprises are prepared to meet time-based disclosure regulations today, many must beef up their capabilities before the SEC requirements take effect in December 2023.
With the clock ticking, here are five actions CISOs and security leaders can take to prepare for SEC cybersecurity compliance and mitigate cyber risk:
1. Review your organization’s current incident response and reporting process. Having a solid playbook in place isn’t enough. It takes repetition and muscle memory to act quickly and decisively to minimize an attack’s impact. Conducting regular readiness exercises will help teams uncover technical gaps and process or communication breakdowns that could hinder timely response and disclosure.
2. Assess the threat landscape. Threat actors’ techniques change, but identity remains a constant in the attack lifecycle. According to the CyberArk 2023 Identity Security Threat Landscape Report, the number of human and machine identities is expected to balloon by 240%. Nearly half of all identities require sensitive access to perform their roles, making them appealing and plentiful targets for threat actors. And almost all (99%) security professionals expect an identity-related compromise to occur in their environment in the next year. When you consider the numbers and impact of recent major breaches, it’s clear this is no longer an identity and access management (IAM) or even a cybersecurity problem – this is a business problem. To properly manage risks to your business, you must understand where your most critical assets are, who (human identities) and what (machine identities) can access them, how these identities access them, when this happens and for how long.
3. Evaluate existing controls. As part of the SEC’s new rules, companies must add specific details about their cybersecurity programs in annual 10-K filings. Now is the time to analyze existing security controls and policies against recognized standards, such as the NIST Cybersecurity Framework or ISO/IEC 27002, to identify areas where your controls do not adequately mitigate your risk. From there, it comes down to prioritization. Most security leaders will focus on “buying back” the most risk in the shortest amount of time using the least amount of resources. Securing identities often rises to the top of prioritized lists, given the surge in human and machine identities and associated risks. With a sufficient sense of urgency, critical identity security controls (that emphasize Zero Trust and least privilege principles for monitoring and controlling access) can be implemented quickly – as is often done in the wake of actual breaches. It’s wise to focus initial steps on securing high-value targets that represent the greatest potential risk to the business:
After taking these steps, you can extend the breadth and depth of your defenses to mature your identity security strategy. If you’re looking for prescriptive guidance, check out the CyberArk Blueprint for Identity Security Success.
4. Prepare for “materiality” decision-making. As part of the SEC ruling, public companies must file a Form 8-K with the SEC within four days of determining a cyber incident is “material.” There are many factors to consider when determining the materiality of a cyber incident. Part of the CISO’s job is to rapidly assess the situation and provide relevant information (i.e., what happened, when, what was impacted, what is still unknown) to help their organization make that call. The ability to track all identities effectively, coupled with continuous threat detection and analysis, is one of the best ways to ascertain this information in a timely manner.
5. Sharpen business risk communication skills. As the organization’s cybersecurity “translator,” the CISO must communicate business risk to the Board effectively and efficiently – now even more so given time-based disclosure mandates. This means reframing technical metrics and demystifying cyber risk by using more relatable terms, such as financial or reputational impact. Explore ways to integrate cost-benefit analysis into your organization’s existing cybersecurity framework to help quantify risk and mitigation ROI for key control areas. In the meantime, continue professional development pursuits to sharpen your communications and change management skills. And actively broaden your professional network, as there may be times when you’ll need to “phone a friend” (for instance, a fellow CISO/CIO or insurance expert) to help explain the implications of a cyberattack to the Board.
Building Cyber Resilience Through Enhanced Collaboration
The SEC’s new time-based ruling is one of many government steps to push the ball forward. Yet building cyber resilience takes significant collaboration on all fronts.
At an organizational level, CISOs must get even closer to their Boards and business stakeholders. Regular conversations and relationship-building efforts are key to understanding their priorities, challenges and risk tolerance. With these insights security leaders can shape “big picture” cybersecurity programs that align to key business goals, maximize risk reduction and hold up under investor scrutiny.
In the same vein, more cooperative action across private and public sectors is needed to raise our collective defense and protect our borderless networks from evolving threats. These cybersecurity reports to the SEC should be rapidly analyzed and anonymized for distribution to the cyber defense community. If properly implemented, this SEC initiative can be used with others to help enable all of us working together to reach the vision of the former Office of the National Cyber Director: “You need to beat all of us to beat one of us.”
James Imanian is Senior Director of the U.S. Federal Technology Office at CyberArk.